FLAGSHIP ENGAGEMENT

AI Threat Hunting

AI does the work. A human owns the outcome.

Proactive hunt for the indicators of AI-driven attacks across your cloud and identity surface. SONAR maps the estate from a read-only API key in minutes. The operator hunts against the result, validating every detection before it lands in your report. Azure, AWS, GCP. Cloud and identity scope. Endpoint hunt explicitly out of scope.

Book a 30-Min Scoping Call Scope via Intake Talk to the Operator
◆ The Gap

When the Attacker Is an Agent, the Signals Shift.

Detection rules built for human attackers miss the fingerprint of an agent-driven operator. The timing is different. The enumeration patterns are different. The C2 cadence is different. The credential exfiltration paths are different. Your SOC has the data. The queries written for the last era do not see what is in it.

"What does the agent attacker look like in your telemetry?"
→ That is the hunt.
◆ What We Hunt

Four Hunt Patterns. Selected Per Engagement.

01

Agent-Driven Enumeration

Anomalous API call sequences inconsistent with human session pacing. Burst-then-quiet cycles, flat command-and-control patterns, deep recursive permission queries, identity graph walks. Detection coverage against CloudTrail, Azure Activity Logs, GCP Audit Logs, and IdP telemetry.

02

Credential Exfiltration from Coding Copilots

IAM anomalies, key reuse outside the deploying repository, secrets reaching production from inappropriate sources, sudden cross-tenant token activity. Detection coverage against the patterns: AWS access keys leaked via copilot context, GitHub PATs exfiltrated through system prompt extraction.

03

Sandbox Escape from Compromised Compute

Lateral movement from agent-hosting compute. Workload identities used outside their intended scope, container escape patterns, EKS, AKS, and GKE RBAC abuse, VM-to-storage privilege chains. The hunt assumes an AI agent is running somewhere in the estate and maps the blast radius from there.

04

Cloud Posture Drift Used as Initial Access

Orphaned identities, public storage, stale service principals, over-permissioned workload identities, conditional access gaps. Posture findings prioritized by exploitability against your specific environment, not by CVSS or a vendor's static scoring.

◆ Where We Hunt

The Telemetry Stack.

We work in the data you already have. The operator brings the query languages, the agent squad correlates the volume, SONAR maps the estate so the hunt starts with complete visibility.

Azure Sentinel + KQL
Activity logs, sign-in logs, MCAS, Defender for Cloud. The KQL surface where most Microsoft-shop hunts live.
AWS CloudTrail + Athena / Splunk
Management events, data events, IAM and STS activity, GuardDuty enrichment. CloudTrail is the foundation; the hunt is the queries on top.
GCP Audit Logs + Chronicle
Admin activity, data access, system events, and Chronicle for correlation. The hunt language where Chronicle is in place.
Identity Providers
Entra ID, Okta, Auth0 sign-in and token activity. Cross-tenant anomalies and conditional access bypass attempts.
SONAR Estate Map
Agentless cloud cartography from a read-only API key. Asset inventory, identity graph, and exposure surface, generated before the hunt begins.
SIEM-Agnostic Outputs
Splunk SPL, Sumo Logic, custom correlation queries written to run in your SIEM after we leave. You keep the queries.
◆ The Shape

How the Engagement Works.

Format
Scoped per environment. Fixed-fee at the close of the scoping call, before any work starts.
Duration
2 weeks for single cloud plus identity, 3-4 weeks for multi-cloud. Most engagements run 2-3 weeks.
In Scope
Azure, AWS, GCP cloud control plane. Identity providers. Workload identities. SaaS connected to the IdP.
Out of Scope
Endpoint hunt. EDR data review. Sustained MDR coverage. We do not stretch into work we are not set up to do cleanly.
Delivery
Operator-led, agent-augmented. SONAR for mapping, JARVIS for prior-engagement precedent, operator for the queries and validation.
Read-Only
All access is read-only. No agents installed. No production impact.
◆ Pricing

Scope on the Call.

Hunt scope varies more than testing scope. The fee depends on how many clouds, how much identity surface, and what telemetry you already have queryable. We scope on a 30-min call so the price matches the environment, not a marketing tier. Pricing is fixed at the close of the scoping call, before any work starts.

Book a 30-Min Scoping Call Or send us the details
◆ What You Walk Away With

Deliverables

  • Hunt report with operator-validated detections. No false positives passed through.
  • SONAR estate map and identity graph snapshot as of the hunt window
  • Detection queries you keep, written in KQL, SPL, or BigQuery to run in your SIEM after we leave
  • Plain-language summary your leadership and board can act on
  • Prioritized remediation for posture findings surfaced during the hunt
  • Live walkthrough of both deliverables with the operator

Book a 30-Min Scoping Call

Tell us what stack we are hunting in. We will come back with scope, timeline, and fee at the close of the call.

Book a Scoping Call Or send us the details